File name:

41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe

Full analysis: https://app.any.run/tasks/28a70d0e-e313-4bec-af64-39869ec54ebf
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: January 10, 2025, 20:39:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
amadey
botnet
stealer
loader
lumma
themida
auto
stealc
netreactor
rdp
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

0A7F88A22AE393BE6AAF81E99911559E

SHA1:

618BD53DCB394611C6EE90199ABE534D40DD6958

SHA256:

41877F9E09AAE067DC58C6B1E29DA9D93F0773B742F1E59E6175FE57DDF052AE

SSDEEP:

98304:8+7IIYN3A1dUKW83me3qNNW0DVU3aNkHTdvqlG9ehlzEJAuufVuVHvzULQkHYJLP:VkTb8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • AMADEY mutex has been found

      • axplong.exe (PID: 5096)
      • 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe (PID: 5864)
      • axplong.exe (PID: 3608)
      • axplong.exe (PID: 5320)
    • Connects to the CnC server

      • axplong.exe (PID: 5096)
      • svchost.exe (PID: 2192)
    • AMADEY has been detected (SURICATA)

      • axplong.exe (PID: 5096)
      • defnur.exe (PID: 2996)
    • AMADEY has been found (auto)

      • axplong.exe (PID: 5096)
      • am209.exe (PID: 5268)
    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2192)
    • AMADEY has been detected (YARA)

      • axplong.exe (PID: 5096)
      • defnur.exe (PID: 2996)
    • STEALER has been found (auto)

      • axplong.exe (PID: 5096)
    • StealC has been detected

      • 696969.exe (PID: 5316)
    • Steals credentials from Web Browsers

      • legs.exe (PID: 1616)
    • STEALC has been detected (YARA)

      • 696969.exe (PID: 5316)
    • Actions look like stealing of personal data

      • legs.exe (PID: 1616)
    • LUMMA mutex has been found

      • legs.exe (PID: 1616)
    • LUMMA has been detected (YARA)

      • legs.exe (PID: 1616)
  • SUSPICIOUS

    • Reads the BIOS version

      • 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe (PID: 5864)
      • axplong.exe (PID: 5096)
    • Reads security settings of Internet Explorer

      • 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe (PID: 5864)
      • axplong.exe (PID: 5096)
      • am209.exe (PID: 5268)
      • defnur.exe (PID: 2996)
      • 696969.exe (PID: 5316)
    • Starts itself from another location

      • 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe (PID: 5864)
      • am209.exe (PID: 5268)
    • Executable content was dropped or overwritten

      • 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe (PID: 5864)
      • axplong.exe (PID: 5096)
      • am209.exe (PID: 5268)
    • Potential Corporate Privacy Violation

      • axplong.exe (PID: 5096)
    • Contacting a server suspected of hosting a CnC

      • axplong.exe (PID: 5096)
      • svchost.exe (PID: 2192)
      • defnur.exe (PID: 2996)
    • Process requests binary or script from the Internet

      • axplong.exe (PID: 5096)
    • Application launched itself

      • legs.exe (PID: 4556)
    • Connects to the server without a host name

      • axplong.exe (PID: 5096)
      • defnur.exe (PID: 2996)
      • 696969.exe (PID: 5316)
    • Executes application which crashes

      • legs.exe (PID: 4556)
      • 696969.exe (PID: 5316)
    • Windows Defender mutex has been found

      • 696969.exe (PID: 5316)
    • There is functionality for enabling RDP (YARA)

      • defnur.exe (PID: 2996)
    • The process executes via Task Scheduler

      • axplong.exe (PID: 3608)
      • defnur.exe (PID: 2132)
      • axplong.exe (PID: 5320)
      • defnur.exe (PID: 3560)
    • Searches for installed software

      • 696969.exe (PID: 5316)
  • INFO

    • Sends debugging messages

      • axplong.exe (PID: 5096)
      • 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe (PID: 5864)
      • axplong.exe (PID: 3608)
      • axplong.exe (PID: 5320)
    • Creates files in a temporary directory

      • 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe (PID: 5864)
      • axplong.exe (PID: 5096)
      • am209.exe (PID: 5268)
    • Checks proxy server information

      • axplong.exe (PID: 5096)
      • WerFault.exe (PID: 1328)
      • defnur.exe (PID: 2996)
      • 696969.exe (PID: 5316)
      • WerFault.exe (PID: 1348)
    • Checks supported languages

      • 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe (PID: 5864)
      • axplong.exe (PID: 5096)
      • legs.exe (PID: 4556)
      • legs.exe (PID: 1616)
      • am209.exe (PID: 5268)
      • defnur.exe (PID: 2996)
      • 696969.exe (PID: 5316)
      • defnur.exe (PID: 2132)
      • axplong.exe (PID: 3608)
      • defnur.exe (PID: 3560)
      • axplong.exe (PID: 5320)
    • Reads the computer name

      • axplong.exe (PID: 5096)
      • 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe (PID: 5864)
      • legs.exe (PID: 4556)
      • legs.exe (PID: 1616)
      • am209.exe (PID: 5268)
      • 696969.exe (PID: 5316)
      • defnur.exe (PID: 2996)
    • Process checks computer location settings

      • 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe (PID: 5864)
      • axplong.exe (PID: 5096)
      • am209.exe (PID: 5268)
    • The process uses the downloaded file

      • axplong.exe (PID: 5096)
      • am209.exe (PID: 5268)
    • Creates files or folders in the user directory

      • axplong.exe (PID: 5096)
      • WerFault.exe (PID: 1328)
    • Reads the machine GUID from the registry

      • legs.exe (PID: 1616)
    • Reads the software policy settings

      • legs.exe (PID: 1616)
      • WerFault.exe (PID: 1328)
      • WerFault.exe (PID: 1348)
    • Themida protector has been detected

      • axplong.exe (PID: 5096)
    • .NET Reactor protector has been detected

      • legs.exe (PID: 1616)
    • Reads product name

      • 696969.exe (PID: 5316)
    • Reads Environment values

      • 696969.exe (PID: 5316)
    • Reads CPU info

      • 696969.exe (PID: 5316)

Amadey

(PID) Process: (5096) axplong.exe
C2: 185.215.113.16
URL: http://185.215.113.16/Jo89Ku7d/index.php
Version: 4.41
Options
Drop directory: 44111dbc49
Drop name: axplong.exe
Strings (119):
lv:
kernel32.dll
GET
&&
?scr=1
4.41
------
exe
Doctor Web
wb
Sophos
ESET
Programs
%-lu
abcdefghijklmnopqrstuvwxyz0123456789-_
av:
un:
-executionpolicy remotesigned -File "
Content-Type: multipart/form-data; boundary=----
\0000
Content-Type: application/x-www-form-urlencoded
rundll32
44111dbc49
pc:
DefaultSettings.XResolution
--
ar:
2016
id:
:::
Startup
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
dm:
SYSTEM\ControlSet001\Services\BasicDisplay\Video
cred.dll|clip.dll|
"
og:
&unit=
rundll32.exe
" && ren
/k
Avira
<d>
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
360TotalSecurity
" Content-Type: application/octet-stream
os:
axplong.exe
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
-unicode-
%USERPROFILE%
zip
/quiet
#
CurrentBuild
Powershell.exe
cmd
DefaultSettings.YResolution
Main
ProductName
msi
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
dll
rb
r=
clip.dll
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
VideoID
POST
Content-Disposition: form-data; name="data"; filename="
2019
/Plugins/
2022
d1
Norton
" && timeout 1 && del
.jpg
ps1
shutdown -s -t 0
sd:
ProgramData\
e0
185.215.113.16
bi:
-%lu
GetNativeSystemInfo
e2
Comodo
ComputerName
------
st=s
\App
random
0123456789
Panda Security
vs:
shell32.dll
https://
\
http://
Kaspersky Lab
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/Jo89Ku7d/index.php
|
AVG
cmd /C RMDIR /s/q
WinDefender
"taskkill /f /im "
+++
S-%lu-
cred.dll
AVAST Software
&& Exit"
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Rem
Bitdefender
=
e1
<c>
(PID) Process: (2996) defnur.exe
C2: 185.215.113.209
URL: http://185.215.113.209/Fru7Nk9/index.php
Version: 5.04
Options
Drop directory: fc9e0aaab7
Drop name: defnur.exe
Strings (125):
lv:
kernel32.dll
GET
&&
?scr=1
00000422
------
exe
Doctor Web
wb
Sophos
ESET
Programs
%-lu
abcdefghijklmnopqrstuvwxyz0123456789-_
av:
un:
-executionpolicy remotesigned -File "
Content-Type: multipart/form-data; boundary=----
\0000
Content-Type: application/x-www-form-urlencoded
rundll32
pc:
DefaultSettings.XResolution
--
ar:
2016
id:
:::
5.04
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Startup
dm:
SYSTEM\ControlSet001\Services\BasicDisplay\Video
00000423
cred.dll|clip.dll|
"
og:
&unit=
rundll32.exe
fc9e0aaab7
" && ren
00000419
defnur.exe
/k
Avira
<d>
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
360TotalSecurity
" Content-Type: application/octet-stream
os:
e3
0000043f
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
-unicode-
%USERPROFILE%
zip
/quiet
#
CurrentBuild
Powershell.exe
cmd
DefaultSettings.YResolution
Main
ProductName
msi
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
dll
rb
r=
clip.dll
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
VideoID
POST
Content-Disposition: form-data; name="data"; filename="
2019
/Plugins/
185.215.113.209
2022
d1
Norton
" && timeout 1 && del
.jpg
ps1
shutdown -s -t 0
sd:
ProgramData\
bi:
-%lu
GetNativeSystemInfo
e2
Comodo
ComputerName
------
st=s
\App
random
0123456789
Panda Security
vs:
shell32.dll
https://
\
http://
Keyboard Layout\Preload
Kaspersky Lab
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
AVG
/Fru7Nk9/index.php
cmd /C RMDIR /s/q
WinDefender
"taskkill /f /im "
+++
S-%lu-
cred.dll
2025
AVAST Software
&& Exit"
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Rem
Bitdefender
=
e1
<c>
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x32b000
UninitializedDataSize: -
InitializedDataSize: 104960
CodeSize: 321024
LinkerVersion: 14.24
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2024:07:25 12:10:38+00:00
MachineType: Intel 386 or later, and compatibles
Total processes
134
Monitored processes
15
Malicious processes
10
Suspicious processes
0

Behavior graph

start 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe #AMADEY axplong.exe legs.exe conhost.exe no specs #LUMMA legs.exe werfault.exe #LUMMA svchost.exe #AMADEY am209.exe #AMADEY defnur.exe #STEALC 696969.exe axplong.exe defnur.exe no specs werfault.exe axplong.exe defnur.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 5864
CMD: "C:\Users\admin\Desktop\41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe"
Path: C:\Users\admin\Desktop\41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5096
CMD: "C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe"
Path: C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe
Parent process: 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\44111dbc49\axplong.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4556
CMD: "C:\Users\admin\AppData\Local\Temp\1001527001\legs.exe"
Path: C:\Users\admin\AppData\Local\Temp\1001527001\legs.exe
Parent process: axplong.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226505
Modules
Images
c:\users\admin\appdata\local\temp\1001527001\legs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 3840
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: legs.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1616
CMD: "C:\Users\admin\AppData\Local\Temp\1001527001\legs.exe"
Path: C:\Users\admin\AppData\Local\Temp\1001527001\legs.exe
Parent process: legs.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\1001527001\legs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 1328
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4556 -s 136
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: legs.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 5268
CMD: "C:\Users\admin\AppData\Local\Temp\1004899001\am209.exe"
Path: C:\Users\admin\AppData\Local\Temp\1004899001\am209.exe
Parent process: axplong.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\1004899001\am209.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2996
CMD: "C:\Users\admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"
Path: C:\Users\admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
Parent process: am209.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\fc9e0aaab7\defnur.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5316
CMD: "C:\Users\admin\AppData\Local\Temp\1010910001\696969.exe"
Path: C:\Users\admin\AppData\Local\Temp\1010910001\696969.exe
Parent process: axplong.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\appdata\local\temp\1010910001\696969.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
17 254
Read events
17 245
Write events
9
Delete events
0

Modification events

(PID) Process: (5096) axplong.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (5096) axplong.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5096) axplong.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2996) defnur.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2996) defnur.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2996) defnur.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (5316) 696969.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (5316) 696969.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5316) 696969.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files
8
Suspicious files
5
Text files
4
Unknown types
0

Dropped files

PID | Process | Filename | Type
1328 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_legs.exe_b69dcd31991ac936315188b4a52a885c5ebfec_fdf40bfd_e89d49c0-6286-4fc8-8731-48d80fc2740f\Report.wer | -
MD5:
SHA256:
1328 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\legs.exe.4556.dmp | -
MD5:
SHA256:
1348 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_696969.exe_b364b07473c6281ded8b432832f7dffc980d0_d85faf26_a2a88736-f325-4d53-a734-79623dcc16f2\Report.wer | -
MD5:
SHA256:
5864 | 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe | C:\Windows\Tasks\axplong.job | binary
MD5: D446F281DFEBA704B5320A0013F90407
SHA256: 14BC0492B14E482FD4D09B3AEA9CE72C69916C1FC623564FDED6F2AB82936503
1328 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8F5.tmp.dmp | binary
MD5: 10DD4789E29A610D920E179A6065F235
SHA256: 9E9E1566D184B80B11AAE2B7665637277B3E1F871C8D46CCED0CAAA79F36F818
1328 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA1F.tmp.WERInternalMetadata.xml | xml
MD5: 36BCF3516079CB45F21B95DD9A2CA12D
SHA256: 292E3D4BC617BFFE1B10F5C93C3FF37D62513377FD8C83101FB4D10DEFD543C4
5268 | am209.exe | C:\Windows\Tasks\defnur.job | binary
MD5: 90BB6E0DD851EA0D50E416EF6D42E49C
SHA256: BE277E49A8A5307E2B5A7DD1EAFF0FCA01290A11DA223DCE17F499CB6F8874C9
1328 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA4F.tmp.xml | xml
MD5: 42A98A39F238CBFBF8A74E30EB2A2689
SHA256: 2E3D1EE950A29A6335D59264D27032EA124CAA576B855734B8FC80977EDE6299
5864 | 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe | C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe | executable
MD5: 0A7F88A22AE393BE6AAF81E99911559E
SHA256: 41877F9E09AAE067DC58C6B1E29DA9D93F0773B742F1E59E6175FE57DDF052AE
5096 | axplong.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\696969[1].exe | executable
MD5: 89AD45B4A0E2D547C1E09D0A1EA94DF6
SHA256: 18F4E82898557BA7F23F5B58E181793AEE6B9EE066258CE0B8FDBA63A714C4F8
HTTP(S) requests
25
TCP/UDP connections
30
DNS requests
20
Threats
30

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3296
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5096
axplong.exe
POST
200
185.215.113.16:80
http://185.215.113.16/Jo89Ku7d/index.php
unknown
malicious
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3296
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5096
axplong.exe
POST
200
185.215.113.16:80
http://185.215.113.16/Jo89Ku7d/index.php
unknown
malicious
5096
axplong.exe
POST
200
185.215.113.16:80
http://185.215.113.16/Jo89Ku7d/index.php
unknown
malicious
5096
axplong.exe
GET
200
185.215.113.16:80
http://185.215.113.16/inc/legs.exe
unknown
malicious
5096
axplong.exe
GET
200
185.215.113.16:80
http://185.215.113.16/test/am209.exe
unknown
malicious
4712
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5096
axplong.exe
POST
200
185.215.113.16:80
http://185.215.113.16/Jo89Ku7d/index.php
unknown
malicious

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3296
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3296
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3296
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4712
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5096
axplong.exe
185.215.113.16:80
1337team Limited
SC
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
pancakedipyps.click
malicious
nearycrepso.shop
malicious
abruptyopsn.shop
malicious
wholersorie.shop
malicious
framekgirus.shop
malicious
tirepublicerj.shop
malicious

Threats

PID
Process
Class
Message
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
Misc activity
ET INFO Packed Executable Download
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
A Network Trojan was detected
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop)
2 ETPRO signatures available at the full report
Process
Message
41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------